
API Exploration and Exploitation $2,800
Name of training:
API Exploration and Exploitation
Trainer Name:
SensePost Training
Trainer(s) bio:
SensePost, the elite ethical hacking team of Orange Cyberdefense, has been training internationally since 2002. We pride ourselves on ensuring our content, our training environment and our trainers are all epic in every way possible. The trainers you will meet are working penetration testers, responsible for numerous tools, talks and 0day releases. This provides you with real experiences from the field along with actual practitioners who will be able to support you in a wide range of real-world security discussions. We have years of experience building environments and labs tailored for learning; after all, education is at the core of SensePost and Orange Cyberdefense.
Trainer(s) social media links:
@sensepost_train
@sensepost
@orangecyberdef
Have you taught this training before? Where and when?
Yes, this training was delivered at Def Con Trainings 2022 in Las Vegas.
Do you have links to sites that promoted your past training so we can better understand how you presented it to the public?
No links to previous training as the Def Con site has been modified.
Class Description:
The use of Application Programming Interfaces (APIs) has increased over the years, and the threat landscape of organizations grows with their adoption. The content of the course creates awareness around the various attack vectors used against APIs and provides actionable mitigation strategies.
The aim of this course is to empower you to conduct a risk assessment of an API. This hands-on course covers API basics, setting up a test environment, API threat model, API protocols and architectures, typical vulnerabilities, enumerating an attack surface and best practices around security.
Moreover, it focuses on gaining practical experience with the OWASP Top 10 for APIs. In addition, you will gain practical experience exploiting typical vulnerabilities in RESTful (REST) APIs and GraphQL. The course concludes with a capture the flag (CTF) to apply the knowledge gained during the course.
This course aims to unpack the security considerations of an API and demonstrate how various attack vectors could be used to impact the security of an API.
More Details:
* 2-day course
* 60% practical and 40% theoretical
* Real-world attacks and methodologies
* Delivered by active penetration testers and red team members
Main modules:
- Introduction to APIs
- Engaging and exploring APIs
- Enumerate the API Attack Surface
- Demystifying the OWASP Top 10 for APIs
- Exploring GraphQL
- Capture The Flag Exercise
Our training is delivered via SensePost, the specialist ethical hacking team of Orange Cyberdefense. We have trained thousands of students for the past two decades about the art of offensive and defensive approaches. It’s safe to say we enjoy teaching others how to pwn networks and applications. Our courses are developed from the work we perform for clients, so that you get a better understanding of how to exploit real-world scenarios.
Join us and hack hard!
Class outline:
Detailed course outline (for Def Con training review use only, please do not share publicly.)
This course consists of 6 high-level modules, around 26 key concepts and around 30 practicals.
Module 1: Introduction to APIs
* What is an API?
* The API ecosystem
* Threat model of an API
* Review of code representing an API endpoint
Practical 1 – What to do with APIs:
This practical has candidates look for open APIs and consider how they could use at least three of them within a fictional business / operational scenario.
Module 2: Engaging with the Target API:
* Set up and configure Postman, cURL and Burp to connect to the target API
* Demonstrate the various HTTP headers
* Interacting with Swagger
* Demonstrate the various HTTP methods
* Discuss the use of JWT for authentication
Practical 2 – Abusing a JWT :
This practical focuses on creating a JWT to authenticate against an endpoint, cracking a JWT to target weak signing configurations, and finally re-signing the JWT for use in subsequent abuses.
Module 3: Enumerate API Attack Surface:
* Creating wordlists to enumerate endpoints
* Fuzzing endpoints to identify hidden endpoints
* Use of tools to create wordlists
Practical 3 – Using cewl and mentalist to create a wordlist:
The identification of endpoints is critical to enumerating the attack surface of APIs. This practical demonstrates the use of tools to create custom wordlists.
Module 4: Demystify the OWASP Top 10 for API:
Candidates are exposed to the most common vulnerabilities targeting APIs. These vulnerabilities are put into context through use cases that allow candidates to perform the attack and gain a better understanding. The focus is also on identifying mitigation strategies to address the risk.
* Unpack the OWASP Top 10 for APIs
* Analyze the vulnerability: Broken Object Level Authorization
* Analyze the vulnerability: Broken User Authentication
* Analyze the vulnerability: Broken Function Level Authorization
* Analyze the vulnerability: Excessive Data Exposure
* Analyze the vulnerability: Lack of Resources & Rate Limiting
* Analyze the vulnerability: Mass Assignment
* Analyze the vulnerability: Security Misconfiguration
* Analyze the vulnerability: Injection
* Analyze the vulnerability: Improper Assets Management
* Analyze the vulnerability: Insufficient Logging & Monitoring
Practical 4 – Getting to know the top vulnerabilities for APIs:
The practicals are part of the module describing each vulnerability. The use cases were developed to practically demonstrate each vulnerability and give candidates the opportunity to experience it first-hand. This in turn creates awareness of how to test for each of these vulnerabilities.
* Practical review of Use Case: Unauthorized Enumeration and Viewing
* Practical review of Use Case: Insecure JSON Web Token (JWT) configuration
* Practical review of Use Case: Weak password complexity
* Practical review of Use Case: Authentication susceptible to brute force attack
* Practical review of Use Case: OTP Bypass
* Practical review of Use Case: Escalate Privileges to gain Administrative Access
* Practical review of Use Case: API Response contains Unfiltered Data
* Practical review of Use Case: API Response contains Unnecessary Data
* Practical review of Use Case: Impact of Zip Bombing
* Practical review of Use Case: Rate Limiting - Abuse Number of Calls to Endpoint
* Practical review of Use Case: Rate Limiting Enabled
* Practical review of Use Case: Privilege Escalation
* Practical review of Use Case: HTTP OPTIONS Method Enabled
* Practical review of Use Case: Verbose Error Messages
* Practical review of Use Case: Outdated Application Servers
* Practical review of Use Case: Overly permissive Cross-Origin Resource Sharing (CORS)
* Practical review of Use Case: SQL Injection
* Practical review of Use Case: XXE Injection
* Practical review of Use Case: Command Injection
* Practical review of Use Case: Enumerate API to identify deprecated endpoints
* Practical review of Use Case: No authentication required to access endpoint
* Practical review of Use Case: Logging of data
* Practical review of Use Case: Logs containing sensitive data
* Practical review of Use Case: Logs do not contain sufficient data
Module 5: Exploring GraphQL from a security perspective:
* Introduction to GraphQL
* Describing the various vulnerabilities associated with GraphQL
* Discuss various techniques to secure GraphQL
Practical 5 – Introspection for the Win:
Candidates are provided with an endpoint to explore the various vulnerabilities. This includes:
- How abusing the default GraphQL configuration can expose the supported schema and queries.
- Exploring the impact of IDORs in gaining access to information within the context of GraphQL.
Module 6: Capture the Flag:
The course concludes with candidates participating in a capture the flag in which the secret documents of a target company need to be found. Candidates apply the knowledge acquired during the course to exploit vulnerabilities within the exposed API.
Technical difficulty of the class and any required experience or skills needed:
This is an intermediate class which requires students to have a solid working understanding of the Linux command line and basic web hacking skills.
Suggested prerequisites for the class:
This is an intermediate course in penetration testing of APIs. No security-related experience is required, but a technical understanding of computers, networks, Linux and Windows is a must.
Please ensure you are comfortable with the Linux command line before enrolling for this course. You will be executing cURL commands from the command line to interact with the APIs.
Items students will need to provide:
You should bring a laptop with a working modern browser like Firefox or Chrome to access the APIs and online lab.
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: TBA
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; the processing fee is $250.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004